次の方法で共有


NAP 802.1X Configuration Walkthrough – Part 1

I just got back from TechEd 2008 North America (Orlando) where I presented two “breakout” sessions on NAP. It went off with a bang and most people really loved the sessions / demos. I have blogged a couple times in the past that I would document exactly how I made it all work and now I want to come through on that promise.

Back in April of this year I created a cool 802.1X NAP Interoperability Showcase for the RSA show – it was two mobile racks (guitar racks actually) full of vendor 802.1X wired gear. I had devices from Cisco, D-Link, Enterasys, Extreme, Foundry, HP ProCurve and Nortel. I got it all working flawlessly with NAP / NPS / Server 2008! It was quite a thing to get working being a guy who deals chiefly in Windows OS’s (and not much networking hardware). After getting it all working I felt some serious love for the scenario – it is definitely my favorite flavor of the 6 NAP enforcement methods we support (DHCP, IPsec, 802.1X, VPN, TSG and Cisco NAC).

Before I head to Windows configuration, we need to talk GEAR. Here are the devices I got working in the showcase rack. I included links to my configuration files from the first five (I need to dig up the other guys too):

1. HP ProCurve 2626

2. Cisco Catalyst 3550

3. D-Link xStack DES-3828

4. Extreme Summit X450-24t

5. Foundry FastIron Edge 4802-POE

6. Enterasys 2G4072-52

7. Nortel BayStack 5520-24T-PWR

I also saved off a copy of the Network Policy Server (NPS) XML configuration file if you want to refer to it. Use caution when using these files. I don’t want you to frakk your switch! For the purposes of this walkthrough, I am going to discuss the specifics of the HP ProCurve 2626. It is a switch that is near and dear to my heart as it is the first one I ever got working. :-> Some things may vary on your brand / model.

Step 1 – Configure that switch baby

This step caused me some serious pain for a number of reasons. I was handed 7 switches with NO power cables, NO terminal cables NOR any instruction manuals. Whoa ho! “Good luck” was something I was thinking at the time. I hope you aren’t in the same boat here. :->

The ProCurve wasn’t bad at all once I found a female-to-female DB9 cable (i.e. Radio Shack). Being a Microsoft guy, I felt obligated to use Hyper Terminal (some Linux guys later informed me about PuTTY, which is pretty cool). Since Hypertrm disappeared from Vista (huh?!?), I went to my XP SP3 box and copied the required files to my memory stick (hypertrm.chm, hypertrm.dll, hypertrm.exe, hypertrm.hlp).

To get connected to the ProCurve I used 8-N-1 @ 115,200 with Xon/Xoff and VT100 emulation. Boy, this brought me back to my modem days. After hitting “connect” and enter a couple times, you should be presented with this.

By the way, you can use HP’s web based configuration interface for some stuff, like configuring VLANs, but it isn’t able to handle RADIUS configuration – which made me move right over to terminal for everything.

Here is a simple diagram of what every switch looked like. 3 VLANs total:

· VLAN 1: Management VLAN. Each of the seven switches had an IP address on the 10.x network. This is so they could do two things – authenticate to the NPS via RADIUS + relay the DHCP/BOOTP traffic to the DHCP server running on Windows Server 2008.

· VLAN 2: Compliant VLAN. AKA – the “healthy network”. Clients on this network are compliant with your policy.

· VLAN 3: Non-Compliant VLAN – AKA – the “unhealthy network”. Clients on this network are not compliant with your policy. They should not be able to contact clients in Compliant VLAN. It is also advisable to restrict what they can reach on the Management VLAN – only resources required to get them fixed up as well as infrastructure (e.g. AD).

Let’s take a look at the ProCurve configuration I am using:

Startup configuration:

; J4900B Configuration Editor; Created on release #H.10.45

hostname "HP ProCurve 2626"

ip routing

vlan 1

   name "Management"

   untagged 2,4,6,8-26

   ip address 10.0.0.2 255.0.0.0

   no untagged 1,3,5,7

   exit

vlan 2

   name "Compliant"

   ip address 20.0.0.1 255.255.0.0

   ip helper-address 10.0.0.1

   exit

vlan 3

   name "NonCompliant"

   untagged 1,3,5,7

   ip address 30.0.0.1 255.255.0.0

   ip helper-address 10.0.0.1

   exit

aaa authentication port-access eap-radius authorized

radius-server host 10.0.0.1 key secret

primary-vlan 3

aaa port-access authenticator 1,3,5,7

aaa port-access authenticator active

aaa port-access 1,3,5,7

Since I have multiple IP segments, I needed to enable IP Routing on the switch. This line makes that happen:

ip routing

Here are the VLANs. The names are self-evident. I only wanted 4 ports available for clients to authenticate with 802.1X (ports 1,3,5,7). I am not using 802.1X’s notion of port tagging the Ethernet frames, which I won’t go into here. I was going for simplicity, so I treated all seven of the switches like a completely separate network (non-routable between each switch).

vlan 1

   name "Management"

   untagged 2,4,6,8-26

   ip address 10.0.0.2 255.0.0.0

   no untagged 1,3,5,7

   exit

vlan 2

   name "Compliant"

   ip address 20.0.0.1 255.255.0.0

   ip helper-address 10.0.0.1

   exit

vlan 3

   name "NonCompliant"

   untagged 1,3,5,7

   ip address 30.0.0.1 255.255.0.0

   ip helper-address 10.0.0.1

   exit

We need to enable 802.1X on a port by port basis, as well as tell the switch how we intend to authenticate these ports. This is where we point the switch at the Windows Server 2008 machine running Network Policy Server (NPS). The shared secret I am using in this example is complex – it is “secret”. :->

aaa authentication port-access eap-radius authorized

radius-server host 10.0.0.1 key secret

primary-vlan 3

aaa port-access authenticator 1,3,5,7

aaa port-access authenticator active

aaa port-access 1,3,5,7

Make sure you commit the configuration to memory!

HP ProCurve 2626# write memory

 

 

Got more coming at you tomorrow! Stay tuned.

Jeff

Comments

  • Anonymous
    January 01, 2003
    Hace un par de semanas conocí ( vía MSN) a Elias , por un post que hice y desaparecí al mismo tiempo

  • Anonymous
    January 01, 2003
    Ask the Directory Services Team : Custom Certificate Request in Windows Vista Microsoft Security Development

  • Anonymous
    January 01, 2003
    NAP 802.1X Configuration Walkthrough – Part 2 This is a continuation from Part 1 . Step 2 – Windows Server

  • Anonymous
    January 01, 2003
    You're welcome David! We are in the middle of a big office move to a new part of the Microsoft campus. As such, I can't get to the Nortel switch! I will should be able to in a couple weeks though. Your Win2K DC shouldn't be a problem, agreed on the GPO configs... Jeff

  • Anonymous
    January 01, 2003
    This is a continuation from Part 1 and Part 2 . Step 3 – NAP Clients, it’s just too easy NAP can be configured

  • Anonymous
    January 01, 2003
    Hace un par de semanas conocí ( vía MSN) a Elias , por un post que hice y desaparecí al mismo tiempo

  • Anonymous
    June 20, 2008
    Great that you are doing this walk through, thanks. I've tried to do a 802.1x IAW with the lab guide but with no Joy. I either have a switch config error, so finding your Nortel config file might help me out heaps OR Having a Windows 2000 DC in the mix is hosing me as we can't do 2003 Functional Level until we get rid of the old DC. I'm told that functional level will only stop the GPO Configs, so I eagerly await a look at your 5520 Switch config Thanks again